AusCERT 2014: Security in a world of surveillance

Hamish Barwick | May 16, 2014

Princeton University professor Edward Felten says users need to be kept safe online while the NSA continues its activities.

"You might go to the AusCERT website that, good for them, uses HTTPS by default. If you click on the lock [on the website] you see an explanation of what the certificate is and you can choose whether to trust AusCERT or not."

However, Felten pointed out that, on further examination, the AusCERT site's HTTPS certificate can be traced back to a company in Sweden called AddTrust.

"My [Web] browser tells me that I trust AddTrust, but that as a factual matter is a false statement. I don't know who AddTrust is."

According to Felten, this puts AddTrust in a position where it can certify that any website is safe and his browser will 'trust' these websites.

He said this is an issue because there are a "substantial number" of forged SSL certificates used on unsafe websites.

Felten added that the typical Internet user goes to sites, such as CNN, that use standard HTTP, rather than HTTPS.

"In the context of HTTP sites, there is a method called opportunistic encryption. It is essentially HTTPS without authentication."

According to Felten, this method, if done right, is secure against some online threats but is not secure against active adversaries, such as cyber criminals, who can "mess with the messages between the two end points".
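
The gap Felten describes between unauthenticated and authenticated encryption can be seen in a small in-memory simulation. This is an added example, not code from the article or from Felten; the toy Diffie-Hellman parameters, the `exchange` function and the pinned fingerprint (standing in for certificate validation) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy parameters chosen for illustration only; not a vetted production group.
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()

def fingerprint(pub):
    return hashlib.sha256(pub.to_bytes(32, "big")).hexdigest()

def exchange(server, relay=None, expected_fp=None):
    """Simulate one key exchange between a fresh client and `server`.

    relay=None models a passive path: public values pass through unchanged,
    so an observer sees them but cannot compute the session key.
    relay=<keypair> models an active path that swaps in its own public value.
    expected_fp is the authentication step: a server fingerprint the client
    learned out of band (hypothetical stand-in for a certificate check).
    """
    client = keypair()
    to_client = relay[1] if relay else server[1]
    to_server = relay[1] if relay else client[1]
    if expected_fp and not hmac.compare_digest(fingerprint(to_client), expected_fp):
        return None  # authenticated mode: substituted key detected, abort
    client_key = session_key(client[0], to_client)
    server_key = session_key(server[0], to_server)
    relay_keys = ()
    if relay:  # the active party shares one key with each end point
        relay_keys = (session_key(relay[0], client[1]),
                      session_key(relay[0], server[1]))
    return client_key, server_key, relay_keys

if __name__ == "__main__":
    server, relay = keypair(), keypair()
    c, s, r = exchange(server)
    print("passive path, keys match:", c == s)
    c, s, r = exchange(server, relay=relay)
    print("active path, no auth, relay holds both keys:", r == (c, s))
    print("active path, with auth:", exchange(server, relay, fingerprint(server[1])))
```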